Robinhood Data Breach Leads Data Events in November; Number of Data Compromises Reaches an All-Time High

Date: 12/08/2021
  • Robinhood, a stock trading platform, suffered a data breach after an unauthorized third party obtained personal information when they socially engineered a customer support team member. The Robinhood data breach impacted approximately seven million customers.
  • A supply chain attack against GoDaddy led to the email addresses of up to 1.2 million active and inactive Managed WordPress customers being compromised.
  • Costco encountered the first data breach of 2021 due to a skimming device. Personnel from the retail corporation located the device during a routine check at one of the company’s warehouses.
  • Anyone impacted by a data breach should follow the advice in the notification letter, change their password to a long and unique passphrase and keep an eye out for phishing attempts that claim to be from the breached organization.
  • For more information about November’s key data events and other data breach news, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.
  • If you believe you are the victim of identity theft from a data breach, like the Robinhood data breach, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website idtheftcenter.org.

2021 Surpasses Previous All-Time High Number of Data Breaches

The Identity Theft Resource Center (ITRC) has been tracking publicly-reported data compromises since 2005. Over the last 15 years, the high-water mark for breaches was in 2017 with 1,529 data compromises. That number was surpassed in November 2021, a month in which the ITRC tracked 164 data compromises. The ITRC has now tracked 1,580 compromises through 11/30/21. The next question now is how high the number of data compromises will go.

Notable November Data Breaches

Of the 164 data compromises the ITRC tracked in November, three stand out: Robinhood, GoDaddy and Costco. Robinhood suffered a social engineering attack that impacted seven million people. GoDaddy was just the latest company hit by a supply chain attack, affecting millions. At Costco, a credit card skimming device may have stolen some shoppers’ payment card information; it was the first attack of its kind in 2021.

Robinhood

According to Bleeping Computer, stock trading platform Robinhood recently disclosed a data breach after their systems were attacked. A threat actor gained access to the personal information of around seven million customers. The Robinhood data breach exposed the email addresses of five million customers and the full names of two million people; phone numbers were exposed for several thousand entries, and names, dates of birth and zip codes for 300 people. The Robinhood data breach also led to more extensive account information being exposed for ten people.

Robinhood says that on November 3, 2021, an unauthorized third party obtained the personal information after they socially engineered a customer support employee by phone and obtained access to certain customer support systems. After Robinhood contained the intrusion, they say the unauthorized party demanded an extortion payment. However, the trading platform informed law enforcement.

Social engineering is when a criminal manipulates an individual into giving them information. Social engineering tactics continue to evolve as a go-to tool for threat actors and can be harmful due to the amount of personal data possibly divulged.

GoDaddy

GoDaddy, a web hosting company, suffered a data event that impacted 1.2 million active and inactive Managed WordPress customers after their email addresses were exposed due to unauthorized third-party access. According to GoDaddy’s data breach notification letter, the company noticed suspicious activity on November 17, 2021, on their WordPress hosting environment. An investigation determined that a threat actor gained access to certain authentication information for administrative services in September. Using a compromised password, the unauthorized third party accessed the provisioning system in GoDaddy’s legacy code base for Managed WordPress.

The information exposed in the GoDaddy data breach due to the supply chain attack includes customer numbers, email addresses associated with the account, the WordPress Admin login set at inception, and sFTP and database usernames and passwords. GoDaddy has rotated WordPress Admin login credentials, sFTP passwords and database passwords. Users’ websites are still running, but they will not be able to edit content until they reset their passwords.

Costco

An unknown number of Costco shoppers had their names, payment card numbers, expiration dates and CVVs exposed after the first data breach due to a skimming device in 2021. Costco says they discovered a payment card skimming device at one of their warehouses. If unauthorized parties removed information from the device before it was found, payment card information might have been compromised.

Bleeping Computer reports that Costco discovered the skimming device during a routine check by company personnel. In the ITRC’s Q3 2021 Data Breach Analysis, the ITRC noted that there had been no publicly-reported data breaches to date in 2021 attributed to payment card skimming services. Costco is now the first company to suffer a data breach in 2021 due to this method.

What to Do if These Breaches Impact You

Anyone who receives a data breach notification letter should follow the advice offered by the impacted company. The ITRC suggests you immediately change your password and switch to a 12+-character passphrase, change the passwords of other accounts with the same password as the breached account, consider using a password manager, use multi-factor authentication with an app (not SMS/text) and keep an eye out for phishing attempts that claim to be from the breached organization.

Robinhood says if you are a customer looking for information on how to keep your account secure, you should visit Help Center > My Account & Login > Account Security on their company website. Customers can also log in to view messages from Robinhood.

In Costco’s data breach notification letter, the retail corporation urges people to check their financial accounts, look for any suspicious activity and contact their financial institution if they notice anything unusual. Costco is also offering identity theft protection services for all impacted customers.

notified

For more information on November data breaches, like the Robinhood data breach, or other data compromises, consumers and businesses should visit the ITRC’s data breach tracking tool, notified, free to consumers.

Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.

Contact the ITRC

If you believe you are the victim of an identity crime or your identity has been compromised in a data event, you can speak with an ITRC expert advisor toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.
